Practical FCPA and UK Bribery Act Compliance Concepts for C-Suite and Corporate Board Members

ANTI-BRIBERY LEADERSHIP Practical FCPA and U.K. Bribery Act Compliance Concepts for the Corporate Board Member, C-Suite Executive and General Counsel Thomas Fox Jon Rydberg

Global Anti-Corruption & Anti-Bribery Leadership Practical FCPA and U.K. Bribery Act Compliance Concepts for the Corporate Board Member, C-Suite Executive and General Counsel

Global Anti-Corruption & Anti-Bribery Leadership
By Thomas Fox and Jon Rydberg
Edited by Nick Briere
Copyright © 2013 Thomas Fox and Jon Rydberg
All rights reserved. No part of this book may be reproduced or transmitted in any form without the written permission of the authors. Information in this book is intended for public discussion and educational purposes only. It does not constitute legal advice and does not create any attorney-client relationship with the authors.
ISBN-13: 978-1494763251

TABLE OF CONTENTS

Who Should Read This Book
About the Authors
Preface
1. Why Comply with Global Anti-Corruption/Anti-Bribery Laws?
2. Two Prevailing Laws – The FCPA and U.K. Bribery Act
3. How Do Such Laws Relate to Your Business?
4. Creating Your Anti-Corruption/Anti-Bribery Program
5. Marketing Your Anti-Corruption/Anti-Bribery Program
6. High Risk Areas To Watch
7. Leveraging Internal Controls To Mitigate High Risk Areas
8. When the Government Comes Knocking
9. What Does It All Mean?

Who Should Read This Book

If you “believe” your organization is compliant because: (1) you provided training; (2) you have an “honest” culture; or (3) because a Federal investigator hasn’t told you otherwise, you may be putting the corporate enterprise at increased risk. There is a big difference between being “compliant” and having a “Compliance Program.”

This book provides practical lessons pertaining to the FCPA, U.K. Bribery Act and broader Anti-Corruption / Anti-Bribery standards for Board Members, Chief Executive Officers, General Counsel and other corporate executives who seek to lower their enterprise risk profile by learning simple strategies from tested compliance veterans.

About the Authors

Thomas Fox, Principal of TomFoxLaw and Author

Mr. Fox has practiced law in Houston for 30 years. He is now assisting companies with FCPA compliance, risk management, and international transactions. He was most recently the General Counsel at Drilling Controls, Inc., a worldwide oilfield manufacturing and service company. He was previously Division Counsel with Halliburton Energy Services, Inc. Mr. Fox is the founder and editor of the award-winning FCPA Compliance and Ethics Blog (http://tfoxlaw.wordpress.com/). He has published three books on anti-bribery and anti-corruption issues: Lessons Learned on Compliance and Ethics, Best Practices Under the FCPA and Bribery Act, and GSK in China: A Game Changer in Compliance. He is a regular speaker, the author of a wide range of articles on these issues, and an avid maven on the use of social media for compliance. He podcasts at The FCPA Compliance and Ethics Report and can be reached at tfox@tfoxlaw.com.

Jon Rydberg, CEO of Orchid Advisors and Author

Mr. Rydberg has served as a global Big 4 audit, compliance, and business consulting executive for approximately 20 years. He was most recently the Chief Compliance Officer and VP, Internal Audit at Smith & Wesson and was previously employed by such leaders as Ernst & Young, Protiviti, and United Technologies, a worldwide Fortune 50 conglomerate. He served public Board members, CEOs and CFOs on high profile matters pertaining to corporate fraud and SEC financial reporting scandals, Federal FCPA investigations, Sarbanes-Oxley material weakness remediation and the optimization of internal audit programs for billion dollar entities. Mr. Rydberg was responsible for implementing a full-scale compliance and anti-corruption/anti-bribery program in the wake of an industry-wide DOJ/SEC-led FCPA sting.

He is also author of The Four Pillars of Firearm Compliance, a text focused on transforming ATF compliance in the Firearms Industry, and has been featured in such media sites as the Wall Street Journal and CNBC. Mr. Rydberg also served in the role of global Aerospace & Defense industry practice leader and held additional positions with the Department of Homeland Security (DHS) Manufacturing Industry Sector Board and as an Executive Committee Member of the DHS Manufacturing Supply Chain Team, APICS, the IIA and Mensa. He holds a Secret Clearance and is a Certified Management Accountant (CMA), Certified Production and Inventory Management (CPIM), Project Management Professional (PMP), and a Certified Internal Auditor (CIA). And, he holds three U.S. Patents and is a BSME, MBA and MACC (partial).

Mr. Rydberg is now transforming the Compliance Ecosystem as CEO of Orchid Advisors, a strategic management consultancy focused on transforming the worlds of audit and compliance. The firm provides experts in ATF compliance, State firearms compliance, anti-corruption/bribery, ITAR, import, export, and Sarbanes-Oxley. Its early entry market is the Firearms Industry, where Orchid counts among its customers the top manufacturers in the world. Orchid clients hire the firm to reinvent business processes, implement technology and big data solutions to support that change, and transform their compliance culture. Orchid Advisors brings the depth and breadth of Big Four consulting with the innovation, thought leadership, and economies of a boutique analyst firm. More information about the firm’s four service lines of Compliance Consulting, Compliance Technology, Business Consulting, and Internal Audit may be found at www.orchidadvisors.com.

Preface

“Put simply, the prospect of significant prison sentences for individuals should make clear to every corporate executive, every board member, and every employee that we seek to hold you personally accountable for FCPA violations.”
Lanny Breuer, Assistant Attorney General, Criminal Division, U.S. Department of Justice, February 2010

In 2010, Mr. Breuer made the full-bodied statement above. Using language that lacked the slightest hint of normal “government-speak,” he made it very clear that any individual caught violating the Foreign Corrupt Practices Act (FCPA) would be held accountable for his or her actions and that the U.S. Department of Justice’s (DOJ) enforcement of the FCPA would include the full force of the U.S. government.

One would think that “the prospect of significant prison sentences” would go a long way toward establishing an effective deterrent. So why then are U.S. organizations continually levied billions of dollars in fines for violations of the Foreign Corrupt Practices Act? If the mantra “Simply put, don't bribe” holds true, then maintaining compliance should be easy, right? Not necessarily.

The Federal Government has established what it believes is a reasonable standard for preventing and detecting noncompliant behavior pertinent to any Federal regulation. Organizations that conduct business in the U.S. or abroad must protect their stakeholders and shareholders by meeting or exceeding the standards set forth in the Federal Sentencing Guidelines § 8b2.1, “[An] Effective Compliance and Ethics Program.”

Federal investigations are long. They are costly. They are painful and impact more than just your legal department. Imagine losing the ability to ship to key markets for an extended period of time. Would you like an independent monitor watching every employee transaction across your enterprise? Our guess is probably not.

Although global anti-corruption/anti-bribery standards are quickly developing and taking hold around the world, the standards and cultural norms for operating a global business still vary widely. Until those standards become uniform, and until human nature ceases to be human nature, compliance with the FCPA and similar anti-corruption/anti-bribery regulations shouldn’t rest exclusively on training and a “faith in compliance.”

Additionally, one of our chief reasons for writing this book was to reinforce the belief that compliance – both in general and as it pertains to the anti-corruption/anti-compliance – should be viewed, like quality and safety, as an equal business metric. Although compliance should not be designed to impede efficient business operations, it should be part of the decision-making process. In fact, best-in-class compliance programs are enablers of planned and measured risk-taking.

Finally, this book is in no way meant to serve as a legal reference, nor as a formal interpretation of law. For any questions pertaining to the interpretation of global anti-corruption and anti-bribery standards, the reader should seek out the advice of a qualified legal professional.

Before you begin, take out a pen and piece of paper. Document your answers to these questions and we will compare your level of understanding at the end of our book.

• How does your organization limit the risk of non-compliance? Can you list the controls?
• Do you know what the prevailing standard and U.S. Government expectations are for a compliance program?
• Can you point to (or touch) your compliance program? What about your ethics program?
• How do you mitigate the risk of bribery?
• How do you mitigate inappropriate disbursements?
• When was your last independent anti-corruption/anti-bribery program audit?

Chapter 1: Why Comply with Global Anti-Corruption/Anti-Bribery Laws?

The high volume of fines levied by the U.S. government resulting from investigations into violations of the Foreign Corrupt Practices Act demonstrates the extent and maturity of existing U.S. anti-corruption/anti-bribery programs, as well as the extent of pain felt across the corporate landscape.

When asked, “What element of FCPA compliance do organizations lack most?” we often respond with “Confusion between the concepts of Compliance and a Compliance Program.” Some organizations simply don’t know the difference.

• Do companies really understand the requirements of a robust anti-corruption/anti-compliance compliance program?
• Do they understand where the company stands in terms of compliance with prevailing laws such as the FCPA and U.K. Bribery Act?
• Do they understand related laws in other local countries in which they conduct business transactions?
• Do they understand the risks of being non-compliant?
• Is the company engaging in risky behavior in its dealings overseas, and if so, are they aware of it?
• Do companies have real-time visibility into their transactions with monitoring dashboards?

We once had a client that asked for an evaluation of their Ethics Program. After a short review, it was concluded that a Program did not exist. The Vice President of Human Resources was angered by the conclusion. “How can you say that? We are run like a family – our employees are trustworthy and we are definitely ethical and compliant.” We asked again, as a Federal investigator would, “Can you please provide us with evidence of your Ethics Program?” The client could point to nothing other than training and a family-oriented culture.

Obviously anti-corruption/anti-bribery training is important – but the DOJ’s expectation includes the existence of Program elements as listed in § 8b2.1. That means something tangible, promoted, audited, measured, and improved.

Granted, it is difficult to control the behavior of every employee, contractor, or sales agent in a large, international organization; but there must be a higher level of awareness and institutional priority around building and maintaining an effective program. This simply is not optional.

More appropriately stated, compliance, like quality, safety, and ethics, must be embedded into the fabric of the business. These elements all should have the underlying foundation in the organization’s Mission, Vision, Values, and Code of Conduct, and end with a continuous and transparent evaluation of itself.

The DOJ and the Securities and Exchange Commission (SEC) assess an average of 50+ U.S. FCPA violation cases each year. And while that may not seem like a large number considering how many U.S. firms operate internationally, it’s a huge caseload for the Federal regulators because of the time and resources necessary to mount an FCPA investigation.

The consequences of an FCPA violation are serious. An individual found in violation of FCPA can be sentenced to five years in prison and fined up to $250,000 per instance of violation; companies can be fined up to $2 million per instance. An FCPA investigation could involve dozens or hundreds of instances. Even if there is no prison sentence, the fines alone can add up quickly. But perhaps most impactful are: (1) Public announcement of the investigation; (2) Derivative lawsuits; (3) Inability to sell into key markets; (4) Loss of long-term relationships; and (5) The threat of an independent monitor.

Is it really worth it? While the fines can be very expensive and the threat of prison time is enough to make anyone nervous, the real cost is in the personal and professional years lost while under investigation. The DOJ and SEC have been known to be slow and deliberative in their investigative process. Consequently, a company under investigation can expect to expend incredible amounts of time and resources to fulfill investigator needs.

Part of what makes these investigations so incredibly detailed and time-consuming is that the process of interpreting violations can be very subjective. For instance, the U.S. law speaks to the “intent to bribe.” How does the Government determine that a company and its employees had the intent to bribe?

Investigators end up poring over hundreds of thousands—if not millions—of emails, trying to interpret possible out-of-context words an employee used in conversation years ago. Was that person joking or serious? Did this conversation represent the intent to bribe? These are hard questions to answer.

Chapter 2: Two Prevailing Laws – The FCPA and U.K. Bribery Act

There is a growing focus on the part of worldwide governments and businesses alike on the subject of anti-bribery and anti-corruption. The two most prevalent legislative efforts toward progressing this goal are the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act.

The Foreign Corrupt Practices Act of 1977 was enacted by the U.S. Congress and signed into law by President Jimmy Carter with the goal of stopping what had become a pattern of bribery, particularly the bribing of foreign officials by U.S. companies and individuals.

The impetus for creating the FCPA arose out of extensive investigations in the 1970s by the SEC, which found more than 400 U.S. companies admitting to illegal (or, at minimum, “questionable”) payments to foreign officials. These payments were made to induce favorable business outcomes and amounted to more than $300 million. At the time, the act of bribery was not technically illegal; however, the act of hiding such behavior from a company’s shareholders was, and brought the scandal to both the SEC’s and public’s attention. This contributed heavily to an atmosphere of anti-corruption and led to the adoption of the Foreign Corrupt Practices Act.

Regardless of the laws – then or now – we all know that bribery and corruption are both irrevocably unethical and that leaders should seek to exclude them from their organizations.

Understanding the Foreign Corrupt Practices Act

The Foreign Corrupt Practices Act is about bribery, plain and simple. There are two prominent themes of the FCPA. The first, the anti-bribery provisions, makes it illegal to bribe any foreign official. The second, the books and records provision, mandates that companies keep accurate records pertaining to transactions involving foreign business activity, notwithstanding existing SEC rules relating to the accuracy of all financial recordkeeping.

Anti-Bribery Provisions

Simply stated, the FCPA makes it illegal for a U.S. company or individual to bribe a foreign official. The definition of foreign official is broad and can include government officials and their family members, administrators at a government-owned or managed institution, and quasi-government agencies that are owned both privately and by local governments. Also falling under the jurisdiction of the FCPA are employees of international organizations, like the United Nations.

Under the Act, a bribe is the offer of anything of value – cash, merchandise, property, services, etc. The real focus is on the intent to bribe or influence, not on the amount or value of the bribe (or even whether or not the bribe ultimately took place or if any benefit was received). It is also illegal to have any knowledge of a bribe, to supervise a bribe, or to fail to report a bribe. In short, pretty much anything associated with bribery of a foreign official is illegal under the FCPA. The only exceptions are in some pretty extreme hostage situations—so extreme that they really aren’t germane to this book.

Books and Records Provisions

The FCPA also requires companies whose securities are listed in the United States to make and keep books and records that accurately and fairly reflect the transactions of the corporation and maintain an adequate system of internal accounting controls. In essence, if a company is conducting business with foreign entities, it must be able to substantiate and produce records for any overseas transactions. These transactions range from travel and entertainment, to free product, to international offsets, to agent sales commissions, and to everything in between.

These accounting provisions were designed to operate in tandem with the anti-bribery provisions of the FCPA and the two are often evaluated together in the course of a government-led investigation.

You might read the above paragraphs and believe the FCPA is not applicable to you and/or your organization. “We don’t conduct business with foreign governments and therefore this is not of concern.” On the contrary. Take the following, for example:

• A bribe or any intent to influence a transaction whose end user, buyer, or decision maker is unrelated to a foreign government may still be subject to the same level of legal risk.
• The government may view your domestic distributors, who sell internationally, as legal extensions of your organization although they are technically not.

Whom you do business with and the expectations that you establish with those parties are subject to such concern.

The U.K. Bribery Act

Globally, the standards for anti-bribery have broadened far beyond the FCPA and should be viewed in the general context of anti-corruption, anti-bribery, or even as a core tenet in corporate ethics.

The U.K. Bribery Act is the most prominent expansion from the U.S. rules, in which the historical view about “bribery with foreign officials” is greatly expanded upon to include not only organizations and governments but individuals and commercial transactions as well.

If one wanted evidence that the world is evolving toward fighting bribery and corruption, the U.K. Bribery Act would be a great indicator of this trend. In 2010, the British Parliament enacted the Bribery Act 2010 (widely known as the U.K. Bribery Act). The legislation was initiated on recommendations from the British Serious Fraud Office (SFO) and, in many ways, is far more comprehensive and far-reaching than the FCPA.

Businesses that base their internal anti-corruption and anti-bribery compliance programs on the U.K. Bribery Act may in fact be using a more comprehensive standard. This is because the U.K. Bribery Act goes much further than the FCPA. Unlike the FCPA, the U.K. Bribery Act prohibits any type of bribery whatsoever. It doesn’t matter if it’s bribery of a foreign citizen, a domestic citizen, a foreign government official or a domestic one. It doesn’t matter if it’s a corporation or a neighbor; bribery of any kind is prohibited.

The Growing Anti-Bribery/Anti-Corruption Push Around The Globe

The world is truly becoming a global marketplace. With multi-million international business deals affecting the lives and safety of the public, there is an ever-increasing need for common standards and practices. There is a push to establish such common standards in many industries – a good example is the International Financial Reporting Standard (IFRS), which has been advocated to establish standardization in financial reporting between U.S. and international companies. It’s evidence that the world is connecting.

This big-picture and global trend toward interconnectivity is affecting the way corruption and bribery are perceived and treated in countries all around the world. Anti-corruption and anti-bribery regulations are emerging in countries globally – even in countries where it had never really been a prominent concern. In some cases, this conflicts with the cultural norms of nations that rely on offering something of value in exchange for a desired outcome. In some places, that is just the way things are done; it’s the way of business, a cultural heritage.

However, a key goal of this globalization of ethics is for every country in the world to make the bribery of its own government officials illegal. If there was ever any doubt as to this singular need, consider the recent investigations in China over Western companies led by GlaxoSmithKline (GSK). The Chinese government announced they would no longer tolerate Western companies engaging in bribery and corruption of their government officials. The key point from the GSK case is that the Chinese enforced their own domestic anti-bribery laws. So now companies can face prosecution under the FCPA, U.K. Bribery Act, or a country’s domestic law for engaging in bribery and corruption.

The business environment is changing and laws surrounding bribery, corruption, and ethics are growing in complexity, necessitating a comprehensive program to ensure compliance with the FCPA (at minimum).

Chapter 3: How Do Such Laws Relate to Your Business?

In order to design an effective anti-corruption/anti-bribery program, it is critical that you understand and define the nature of your business. Consider, for example, such issues as who are you selling to, how you sell to them, and what is your sales and distribution model? As rudimentary as it might seem, the answers can have a significant impact on the complexity of your final program. Let’s look at these issues now.

Who are you selling to?

A company that sells directly to commercial third parties or consumers, never interacting with any government officials in any foreign country, has less FCPA risk than a company that contracts with or sells to a foreign official, engages in third party negotiations or uses offsets as contractual obligations.

Sounds basic, but “Who are you selling to?” is a key first question to ask yourself. The question should consider the following non-exhaustive list of buyer types:

• Domestic commercial
• Domestic government
• International commercial
• International government
• Quasi-international government (part private, part government)
• U.S. Government-sponsored sales to international governments
• U.S. or international government agents for personal use
• Government or commercially-run buying groups

Each of these scenarios brings with it its own set of risks and design considerations for your program. Do you know, for example, how to handle transactions with quasi-government bodies? What are the rules? And if you don’t know, how do you think your sales personnel and accounts payable team will know?

How do you sell?

The nature of your sales process can vary widely. Much of that is driven by the industry in which you operate and the nature of the “offering.” In other words, are you selling products, services, or both? These offerings can be sold in a number of ways, but consider the varied risk profile in the following models, ranked from lowest to highest risk.

• Retail Point of Sale (POS) – Potentially lowest risk
• Commercial purchase order/invoice (with or without a contract)
• Fixed price or time and material arrangements
• Catalogue pricing
• Discounted pricing
• Volume-based pricing with free, good incentives
• Negotiated pricing
• Pricing with built-in promises of return, such as International Offset programs or accompanied free goods
• Bartering in the sales process
• Inclusion of suppliers or other parties in the sales process
• Use of warranty centers
• License of your product through international manufacturers
• Use of other business partners or joint venture partners
• Use of third party lobbyists or distant contract “sales consultants” – Potentially highest risk

This list could go on to include a few more, but the point is clear. A retail point of sales transaction is less likely to include opportunities for bribery. A negotiated contract with discounted pricing, in which you pay a third party to prepare a proposal and interact with a foreign government on your behalf, would offer relatively higher risk.

What is your sales and distribution model?

Do you sell directly to end-users? Or do you sell through wholesalers, distributors, and retailers? Do you use an internal sales force or third party commissioned sales agents?

Commissioned sales agents will definitely add complexity to the mix and could be highly scrutinized by regulators. What commission is “appropriate” depends on many factors, including the culture of the country in which you are doing business and the nature of the industry.

The first question that a regulator might ask is about sales commission and the determination of how “excessive” it is (or isn’t). Of course, that is a question with a frequently subjective answer. In some industries, the “business norm” for commissions can be in the “1% to 5%” range, while in others the norm may be in the “25% to 30%” range. The respective government might consider the latter to be “a lot of money,” and consequently will see incentive to consummate a deal.

Consider your commission structure and the appropriateness of amount in the context of your operating environment. More importantly, determine if the commission can be tied to some tangible work product or a process/service that added value to the transaction.

If you’re a manufacturer, you might sell to a distributor at a reduced cost. This distributor will then likely sell the product with a profitable markup. Depending on market conditions, it would be common to offer such distributors additional discounts, volume purchases, or other kinds of business norms when operating in a foreign country. “What does the distributor do with that extra money?” a regulator might ask. “Is it simply profit? Or is it being used to influence a foreign official?” Your distribution contracts need to spell out the acceptable uses of any discounts or promotional funds to avoid any potential FCPA violations.

Suffice it to say that different industries will have different risk profiles. Take the construction industry for example. With huge infrastructure projects all over the world, construction firms can have a higher-than-average FCPA risk profile. Why? First, most of the contracts are administered by or through the foreign government, quasi-government entities, and government officials. Second, the method by which the contracts are paid can be complicated—many are based on adherence to a set schedule, offering monetary incentives for on-time completion. It can be difficult to truly value the services rendered.

You need to define the industry in which you operate (and its level of risk), the part of the world in which you are operating (this will define the prevalence of corruption), to whom you are selling products or services, how many steps there are in the distribution model, and who the parties are and how they are connected to you.

A critical consideration to understanding your business risk is identifying where on the globe you operate. Transparency International (www.transparency.org/) is an organization that studies and monitors the relative level of corruption around the world on a country-by-country basis.

The organization generates a Corruption Performance Index (CPI, www.transparency.org/research/cpi/overview) which ranks countries on their corruption levels, ranging from Singapore as a low risk/low corruption environment, to Afghanistan and Iraq which represent high risk/high corruption environments.

It’s critical to measure environmental considerations—that is to say, the political and economic stability of the geographic environment in which you’re doing business. Is corruption a part of their culture? As you can imagine, some foreign governments are corrupt themselves and might require bribes in order to do business in or with their country.

We know you’ve provided “FCPA Training” to your organization, but is your program designed with internal controls that are individually applicable to the scenarios noted above?

Remember, you’re responsible for running your business in a way that is compliant with the anti-corruption and anti-bribery standards. It doesn’t matter what everyone else is doing or what is culturally acceptable. The excuses “I didn’t know it was wrong” or “We trained our people” won’t suffice.

Chapter 4: Creating Your Anti-Corruption/Anti-Bribery Program

The underlying principles of every anti-corruption/anti-bribery program should be the same. That is, the regulations and requirements with which you’re required to comply remain predominantly the same. The risk profile, extent of controls, and methods/tools deployed are what vary.

However, implementing a program that meets the necessary standards in a practical way can be a complicated, multi-year endeavor, requiring continued adjustment and maintenance. Sure, there’s a basic structure; but there is no ready-to-go, “one size fits all” anti-corruption/anti-bribery program.

Establishing A Framework

The Federal Government has clear expectations for what defines an “effective compliance and ethics program.” As noted earlier, those expectations are clearly outlined in Chapter 8, Part B 2.1 of the Federal Sentencing Guidelines (www.ussc.gov/Guidelines/) and include the following as paraphrased:

• Leadership and Tone from The Top
• A Commitment to Compliance – Beyond the Tone
• Measurement: Set at Zero Tolerance; There is No Materiality Standard for Corruption and Bribery
• Standards and Procedures
• Education and Training
• Efforts to Exclude Prohibited Personnel with Due Diligence
• Validation and Oversight

Let’s review each of these in turn.

Leadership and Tone at the Top

Both the U.S. Federal Sentencing Guidelines and the Organization for Economic Co-operation and Development’s (OECD) Good Practice Guidance on Internal Controls, Ethics, and Compliance consider a best practice program to start with an unbreakable “Tone at the Top.”

The FSG reads: “High-level personnel and substantial authority personnel of the organization shall be knowledgeable about the content and operation of the compliance and ethics program … and shall promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”

The OECD Good Practice Guidance reads: “Strong, explicit and visible support and commitment from senior management to the company's internal controls, ethics and compliance programs or measures for preventing and detecting foreign bribery.”

Everyone understands that a company leader must set the tone that the entity will not engage in corruption or bribery. However, “tone-at-the-top” encompasses more than simply saying the right things. It represents a commitment to compliance, far beyond the “tone.”

A Commitment To Compliance – Beyond the Tone

Compliance can occasionally be seen as a priority that competes with the achievement of top-and-bottom-line financial goals. One of the most prioritized tasks that corporate leadership can undertake is to ensure that these two elements do not compete, but rather exist synergistically. Leadership from senior executives is required to ensure that compliance objectives are achieved despite the possible distraction from competing objectives. Typically, demonstrating such a commitment consists of any one or more of the following actions:

• Hiring of a dedicated Chief Compliance Officer who has a direct, independent reporting relationship to either the Board of Directors or the Audit Committee of the Board of Directors;
• Creating a cross-functional business and ethics council tasked with promoting a compliance and ethics program. Ideally, this council should also provide some independent oversight of higher-risk business transactions;
• Developing a respectful, collaborative working relationship between the Board, C-Suite, Internal Audit and Legal/Compliance;
• Being part of the selection and training of senior managers to lead anti-corruption/anti-bribery work;
• Creating an independent reporting hotline (“whistleblower”) and providing methods to promote it through company posters, pamphlets, and events;
• Providing leadership on key tools, such as a code of conduct or independent auditing of one’s own actions;
• Endorsing all publications related to the prevention of corruption and/or bribery;
• Leading the company in awareness and encouraging a transparent dialogue to ensure the effective dissemination of anti-bribery and anti-corruption policies and procedures to employees;

• Remaining engaged and/or involved in oversight of appropriate third party business partners;
• Demonstrating leadership through relevant external bodies—such as industry trade groups and the media—to help articulate both the company’s overall compliance efforts and the industry commitment in the fight against bribery and corruption;
• Remaining involved in high profile and critical decision-making when appropriate;
• Assuring that not only is an appropriate risk assessment conducted, but that it informs the company’s anti-corruption and anti-bribery compliance program;
• Demonstrating oversight of procedure violation; and,
• Providing feedback to the company’s Board of Directors or equivalent, where appropriate, on levels of compliance.

A commitment to compliance can be articulated with three words: leadership, ownership, and accountability. Without all three concepts firmly in place, your best compliance efforts could fail.

Leadership - Demonstrated by making compliance with rules and regulations an equal metric, on par with quality, safety, and financial performance.

• Business metrics are measurable goals of an organization that establish its short or long-term direction. Although these metrics may be financially oriented, it is a best practice to run the business with a “balanced scorecard.” Furthermore, at least one metric should relate to the long-term, continuous improvement of compliance, safety, and other areas that form good corporate stewardship.
• Mature organizations may use elements of Enterprise Risk Management (ERM) as a methodology for linking risk events (e.g., bribery driven by a foreign sales agent) with operational objectives (e.g., selling into a given international market).
• Compliance functions should have a voice at periodic meetings with the: Board of Directors, Audit Committee, and Executive Management team (i.e., staff meetings). Furthermore, dedicated time should be set on the agenda to ensure consistent reporting.
• Company-wide communications should balance financial, operational, and compliance matters. As with our prior recommendations, balance is critical to achieving desired outcomes. Best-in-class companies integrate company presentations with an overview of critical risk management areas, such as compliance and safety.

Ownership - Individual responsibilities should be established in the company’s organization chart and throughout its job descriptions; otherwise, it becomes intangible and cannot be measured or managed. It is important to distinguish between those who are:

• “Responsible” for compliance: Everyone is responsible for being compliant. For example, the individuals who process sales transactions, commission payments, shipments of free goods, and shipments of finished goods have the greatest day-to-day impact on an organization’s compliance. These “transaction-level” resources have as much, if not more, “responsibility” for achieving compliance.
• “Accountable” for compliance: These are the individuals that provide the resources and oversight for ensuring effective execution. They are the tone-setters and should also be held accountable for the compliance results in their functional areas. They are typically supervisors or members of management.
• “Advisors” of compliance: These are the individuals who interpret rulings and advise the business on the boundaries of compliance. They are typically members of a legal or compliance function.
• “Monitors” of compliance: These are independent personnel who are charged with the assessment of the organization’s compliance with established policies and procedures. They are typically members of an audit or quality function.

Accountability - Without accountability, your compliance efforts could be meaningless. Directives of middle and upper-management may get ignored by those employees who know that, despite their actions, they will not be held accountable. Accountability is the glue that binds policies, procedures, and execution together.

Measurement: Set at Zero Tolerance; There is No Materiality Standard for Corruption and Bribery

There are several steps that a company can take to establish a zero-tolerance policy towards corruption and bribery. For instance, there could be a formal, written statement establishing policies that direct the business towards an atmosphere of integrity and compliance. In fact, there can be several forms of communication, which might be tailored to different audiences within the company. Ideally, these would be generally available on a company’s intranet and internet site. Let’s look at what a formal statement might include.

Cornerstones of a formal statement might include:

• A commitment to carry out business fairly, honestly, openly, and with transparency;
• A commitment to zero-tolerance towards corruption and bribery;
• The negative consequences of breaching the policy for both general employees and managers;
• The negative consequences of breaching contractual provisions relating to anti-corruption and anti-bribery prevention formally sent and/or communicated to channel partners;
• A statement of the benefits of rejecting bribery for both the company and its employees. This would include the reputation of the company with customers, the confidence of its business partners, and the incentives for employees to do business in a compliant manner;
• A clear communication that key company individuals and departments are involved in the development and implementation of the company’s anti-corruption and anti-bribery prevention procedures; and,
• Reference to the company’s public-facing involvement in any collective action against corruption and bribery in its business sector; or,
• A reference to the range of anti-corruption/anti-bribery prevention procedures the company has or is putting in place. This should include any protection and procedures for confidential reporting of bribery such as anonymous reporting through a helpline or hotline. This inclusion is arguably the most vital of all previously listed.

Standards and Procedures

Standards (or policies) are an organization’s written rules in response to the law and/or other company expectations. Procedures (or work instructions) provide employees with the methods to achieve compliance with those policies. These standards and procedures are critical towards achieving and maintaining compliance for the following reasons:

• Personnel join and leave the organization and knowledge needs to be retained;
• Lack of written standards can lead to variability in transaction quality; and,
• Employees only retain a small percentage of the information that they receive through training sessions. Written reference material is critical to increasing the likelihood that the activities of employees will remain compliant.

How does a company decide what its standards and procedures should be? Well, by asking basic questions about the business, how it works, and where it conducts business. Here are some examples:

• Will the company do business in countries with high corruption ratings, as defined by the Transparency International Corruption Perception Index?
• Will the company use an internal sales force? Or will that function be outsourced?
• If the company will use an external or outsourced sales force, will they be commission based?
• Does the company offer a standard set of discounts? Or will it vary them by country?
• Does the company offer free promotional product?
• What type of individual is allowed to work for the organization and in what departments?
• What standards have been set for contractors or third party agents?

Other areas where standards need to be set include email and communications, travel and entertainment, gifts, and ethical behavior for the organization. Many of these items are inherent to a well-written Code of Conduct and Corporate Policy set.

While there are several methods for making standards and procedures available to employees, the following key factors should be considered:

• There should be a formal process for developing, releasing, changing, and deleting policies and procedures documentation. The process should be standardized, repeatable, and, ideally, managed by an independent resource in the organization.
• All draft documentation should be reviewed by critical stakeholders of the organization. As an example, legal, compliance, and operations management should review and jointly agree upon final drafts that are then approved by higher levels of management (VPs and C-suite executives), depending on the size and structure of the organization.
• There should be a formal process for communicating new or revised policy and procedure documentation.
• There should be a formal process for controlling and distributing the policies and procedures documentation, including, but not limited to: hardcopy distribution that is maintained in a central, controlled department binder; revision-controlled handbooks that can be distributed at the employee desk level; and online and web-based repositories.

Recommended standards and procedures might, amongst others, include the following:

• A Code of Conduct and Ethics
• An Anti-Corruption/Anti-Bribery Program
• A List Of Prohibited Activities (Bribery; Corruption; Facilitation Payments; Inappropriate Political Contributions)
• Conflicts of Interest
• Gift and Gratuities
• Travel and Entertainment
• Free Goods and Promotional Activities
• Delegation of Authority and Approval Matrix
• Third Party and Employee Due Diligence Procedures
• Contract, Pricing, and Commission Standards
• Accounts Payable, Accounts Receivable, and Disbursements
• An Internal Audit Charter and Annual Internal Audit Plan
• An Audit and Investigations Policy
• A Corrective Actions Process

Education and Training

Education and training can come in many different forms. While everyone in the organization should be trained on core ethics and compliance principles, some may require deeper levels of teaching. For example, those employees involved in international sales and marketing, legal, compliance, and the accounting departments have a greater responsibility due to their roles as international transaction “control owners.” Having a deeper level of knowledge becomes a great aid in stopping FCPA issues before they happen.

An organization’s investment in education and training does not need to be significant in order to be effective. In fact, small investments in this area often have the greatest bang for the compliance buck. While solid business processes and system controls can limit the risk of undesired outcomes, it is the mass of employees who process transactions that have the single greatest impact on achieving compliance. Judgment often becomes a key element in doing the right thing.

How proper training is achieved is dependent upon an organization’s size, technological infrastructure, and existing culture. But, regardless of those factors, there is no more effective method than a program of in-person training that provides employees with the ability to ask questions and receive direct answers.

We recommend a balanced approach to training that may include some of the following methods of delivery:

• Annual, in-person training focused on tone setting, the basic premises of the law, and areas of high risk.
• Short interval, quarterly online training used to reinforce a central message.
• On-demand training materials that can be made available through online university systems, such as Corpedia, LRN, WeComply, SkillSoft, Cogentys, SABA, Click4Compliance, and SuccessFactors, amongst others. The advantages of such materials are numerous, including long-term development of employees and the potential integration of training efforts with your suppliers and sales channel partners.
• Laminated reference materials co-located with transaction processing.
• Localized, public posting of key rules. This can be accomplished via laminated posters or desk trinkets.

Efforts to Exclude Prohibited Personnel with Due Diligence

While most compliance practitioners are certainly aware of the need to perform due diligence, they may not understand its continued role in third party relationships. From this perspective, due diligence can be divided into past, present, and future.

Past - Obviously, your company wants to know with whom they are doing business, and whether the person or entity is a channel partner, joint venture partner, or exists under some other business relationship. This is also true for acquisitions. But due diligence is more important than providing a “check-the-box” activity pertaining to the past activities of a third party; it is an important tool in the overall international efforts to fight corruption and bribery. It supports your company’s Code of Conduct, protects your reputation, and allows the early discovery of deal-breakers before it’s too late. Due diligence will also help provide a legal defense to anti-corruption/anti-bribery laws, like the Foreign Corrupt Practices Act or U.K. Bribery Act. In addition to background and reputation, you need to know third party qualifications before engaging in business.

Present – So what are some types of information that you should obtain in due diligence? The following is a good place to start.

• Identification: It is important to obtain basic identification information on a third party. This includes names, addresses, phone numbers, basic license information, the identities of officers, directors, shareholders, and those who will handle your business and/or be your point of contact. You need to obtain corporate regulatory and partnership filings, a list of countries where the third party does business, and find out if there have been any name changes in the past five years.
• Financial: Your financial review should be based on three years of audited financial records (if any).
• Capabilities: Your review should include a review of the party’s facilities, support services, amount of work outsourced, number of employees, and number of years in business. You should also ask for a list of its top 10 customers.
• Government Exposure: You need to determine if the third party does business with any foreign governments or government officials and if there are any government officials otherwise involved with the third party. This extends to relatives and close friends of government officials.
• Enforcement Actions: Here, you need to determine if the party or any of its officials have ever been charged with criminal conduct or been party to criminal proceedings. You also need to make the same inquiries for civil proceedings and/or regulatory actions. It is advisable to review news media stories on the party.
• Internal Control Environment: You should review the party’s compliance program, including their Code of Conduct. You should also test their employees’ familiarity with the FCPA and/or Bribery Act. See if the company has a written policy regarding gifts, travel and entertainment, and if the employees are trained on pertinent elements of compliance.

Future - The future involves proactive diligence, enabling you to identify red flags in the diligence process before you engage in business with an unwanted party. Diligence, alongside strong contracting and third party training, will become an indispensable tool in your overall enterprise risk management efforts. It is considered a best practice to share your Code of Conduct with third parties and draw attention to internal reporting hotlines for questions and concerns. Key considerations include:

• Clearly communicating that bribery and corruption are not tolerated;
• Using your due diligence to review and improve existing contracts; and,
• Suggesting that the third party adopt a compliance program similar to yours. Alternatively, you may provide training on specific issues.

It is important to note that the “future tense” also speaks to the need for ongoing due diligence monitoring, a critical element and best practice for every program. This is simply because things change. A key partner could be formally charged with a crime two days after closing a contract and only weeks after having performed your “static diligence.” The absence of ongoing monitoring will result in little insight into this information. The “future” should really be an indication of perpetuity as well as providence.

Practically speaking, diligence can be performed many ways. In our careers, we have made use of materials and services provided by:

• Transparency International
• Google (and other basic internet search tools)
• World Compliance (www.worldcompliance.com)
• World-Check (www.world-check.com)
• Dow Jones Factiva (www.dowjones.com/factiva/)
• U.S. OFAC databases (https://ofac.data-list-search.com/Search/Simple)

It is important to note that best-in-class vetting systems fully integrate into modern-day ERP systems. Prior to the execution of any transaction, the system performs a real-time background check on selected parties for diligence issues with respect to FCPA, U.K. Bribery Act, ITAR, and much more.

Validation and Oversight

In the compliance world, process validation comes through oversight. More than one of the compliance program standards in the FSG call for companies to monitor, audit, and respond quickly to allegations of misconduct. These highlighted activities are key components for which enforcement officials will look when determining whether companies maintain adequate oversight of their compliance programs.

Many companies fall short when it comes to effective monitoring. Oftentimes, this can be attributed to a general confusion regarding the differences between monitoring and auditing.

• Monitoring is management’s commitment to reviewing and detecting transaction errors in real-time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis.
• Auditing is an independent, targeted, and in-depth review of specific business processes, systems, or transactions.

You should not assume that because your company conducts independent audits that it is effectively monitoring. In fact, per the Institute of Internal Auditors (or the IIA), it is Internal Audit’s responsibility to evaluate the effectiveness of management’s own risk management functions (i.e., monitoring). That audit function should report independently to the Audit Committee of the Board of Directors with a direct line to the CEO or CFO.

A robust compliance program should include separate functions for auditing and monitoring. While unique in protocol, the two functions are related and can operate effectively in tandem. Monitoring activities can occasionally lead to audits. For instance, if management identified a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to call Internal Audit, under legal privilege, to perform an evaluation of transaction compliance.

Far too often, management looks to the Legal, Internal Audit, or Compliance Department (if standalone from Legal) when something has gone wrong and says, “How could you let that happen? I thought you designed our program to keep us compliant!” What management is really indicating is that they alone failed to monitor for process and transaction-level errors and use that information to improve their own environment. Conceptually, widgets produced and units sold are of equal importance to the business as actively managing its own people, processes, and systems – the key word being “manage,” which is sometimes taken for granted.

Your management team should establish a monitoring system to identify issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. Your compliance team can help, for example, by routinely checking with local finance departments in your foreign offices to see if they’ve noticed recent accounting irregularities. Regional directors should be required to keep tabs on potentially improper activity in the countries they manage. Additionally, a Business Ethics and Compliance Committee should meet or communicate as often as every month to discuss issues as they arise. These ongoing efforts demonstrate your company is serious about integrating compliance and ethics into your business.

The concept of management executing, controlling, and monitoring is also inherent in tangential laws such as Sarbanes-Oxley (SOX). Responsibilities of the certifying officers under SOX are not too dissimilar from the FSG standards. Both require a defined program of internal controls that have established owners and are independently tested for proper design and performance. In fact, many of the internal controls subject to a SOX evaluation would be included in an FCPA program evaluation. For example, think of the “key control” that resides within the Accounts Payable department to evaluate the appropriateness of disbursements in accordance with an established approval authority matrix. While the two laws have separate objectives, the definition of the control and the nature of the test may be very similar. This is one of the reasons why the SEC plays a key role in FCPA investigations – it is to evaluate the internal controls over financial reporting and ability to prevent or detect fraud. The modern concept of “GRC” (Governance, Risk, and Compliance) would suggest that all such controls be maintained in a central database and tested as one rather than duplicating efforts.

How you audit or monitor can vary considerably. “Old-school” methods of checklist-based auditing have some level of effectiveness, but cannot touch the power of modern, real-time dashboards. In our experience, we’ve designed data scripts that reside over the top of ERP systems and highlight significant red flags. They provide early warning systems over volumes of data that would simply be impractical for a human auditor to detect. Real-time dashboards might include:

• High discount levels in a particular country;
• Excessive entertainment receipts for a given employee;
• Significant margins on lower margin products; or,
• Higher commission rates or volumes, amongst others.

Finally, as was re-emphasized with 2012’s Pfizer Deferred Prosecution Agreement (DPA), your company should establish protocols for internal investigations and disciplinary action. Pfizer’s “Enhanced Compliance Obligations” included the following on investigative protocols:

• On-site visits by an FCPA review team, comprised of qualified personnel from the Compliance, Audit, and Legal functions who have received FCPA and anti-corruption training;
• A review of a representative sample, appropriately adjusted for the risks of the market, of contracts with, and payments to, individual foreign government officials or health care providers, as well as other high-risk transactions in the market;
• The creation of action plans resulting from issues identified during the proactive reviews. These action plans will be shared with appropriate senior management and should contain mandatory remedial steps designed to enhance anti-corruption compliance, repair process weaknesses, and deter violations; and,
• A review of the books and records of a sample of distributors which, in the view of the FCPA proactive review team, may present corruption risk.

Prior to such an investigation, however, the company should have procedures – including document preservation protocols, data privacy policies, and communication systems designed to manage and deliver information efficiently – in place to make sure every investigation is thorough and authentic.

Chapter 5: Marketing Your Anti-Corruption/Anti-Bribery Program A Compliance Department holds some degree of responsibility for marketing the company’s programs, both internally and externally (i.e., to in-house employees and applicable, out-of-house third party agents). This “compliance marketing function” educates both employees and third party agents on company and legal standards, processes for reacting to red flags, and methods for reporting violations. Successful “compliance marketing” consists of three key components: 1. Identify: Let your employees and third parties know what you stand for; 2. Incentives: Celebrate employee efforts; and, 3. Tools: Give your employees the tools to participate. Each of these concepts can play a key role in marketing your compliance program. Let’s review them in more detail. Identify - Let Your Employees and Third Parties Know What You Stand For In the recently published FCPA Guidance, the DOJ and SEC suggest that the basis of every anti-corruption/anti-bribery program is the Code of Conduct, as it is “often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” Two primary goals of any Code are: 1. To document and clarify minimum expectations of acceptable behavior; and, 2. To encourage individuals to speak up when they have questions or witness misconduct. Incentives - Celebrate Their Efforts Once again, the recent FCPA Guidance speaks to employee’s incentives as of equal importance to disciplinary action s. Does your organization reward for ethical actions? The Guidance states, “DOJ and SEC recognize that positive incentives can also drive compliant behavior. 
These incentives can take many Guiding Principles of Enforcement forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership. Some organizations have made adherence to compliance a significant metric for management’s bonuses, much like quality and 30 | P a g e
Chapter 5  Marketing Your Anti-Corruption Anti-Bribery Program A Compliance Department holds some degree of responsibility...

safety, so that compliance becomes an integral part of management’s everyday concern.” It is important to “… make integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well.”

This concept means going beyond incentivizing. To us, the word “celebration” implies a kind of public display of success. Financial rewards may be given in private, such as a portion of an employee’s discretionary bonus credited to doing business ethically and in compliance with the FCPA. Employees who are promoted for doing business ethically are very visible and can act as effective public displays of an operative compliance program. However, we think that a company can take this concept even further through a celebration to help create, foster, and acknowledge the culture of compliance for its day-to-day operations.

Bobby Butler, Chief Compliance Officer (CCO) at Universal Weather and Aviation, Inc., has spoken about how his company celebrated compliance through an event labeled “Compliance Week.” He said that he and his team attended this event and used it as a springboard to internally publicize their compliance program. Their efforts included three separate elements:

1. They hosted inter-company events to highlight and celebrate the company’s compliance program;
2. They provided employees with a brochure that highlighted the company’s compliance philosophy; and,
3. They circulated a booklet which provided information on the company’s compliance hotline and Compliance Department personnel.

Tools - Give Them Tools to Participate

Obviously, a key component of any effective compliance program is an internal reporting mechanism. The FCPA Guidance states: “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.” The FCPA Guidance goes on to discuss the use of an ombudsman, or a watchdog of sorts, to address employee concerns about compliance and ethics. We do not think that many companies have fully explored the use of an ombudsman, but it is certainly one way to help employees with their compliance concerns. Interestingly, in an interview in the Wall Street Journal, Sean McKessy, Chief of the SEC’s Office of the Whistleblower, stated that, “What I hear is that companies are generally investing more in internal compliance as a result of
our whistleblower program so that if they have an employee who sees something, they’ll feel incentivized to report it internally and not necessarily come to us.”

Identity, Incentives, and Information are three useful tools that companies can use to effectively market their anti-bribery and anti-corruption program efforts.

Chapter 6: High Risk Areas to Watch

You have arrived! You have created your compliance program in accordance with FSG § 8b2.1, so you’re good to go, right? Now all you need to do is sit back and conduct your overseas business with confidence… right? Well, not quite. First, let’s discuss some high-risk areas that deserve additional attention. As with all other aspects of your business, you are dealing with human beings. When dealing with human nature, the one thing you know for sure is that the potential for disaster always exists. People make mistakes. This chapter provides a partial list of those higher risk areas to actively manage.

Travel, Entertainment & Gifts

Let’s assume that your company does not want to fund a multi-year, multi-million dollar bribery scheme violating both its own Code and the FCPA. That’s reasonable, right? In this case, how do you best protect your firm when issuing funds for commissions, traveling, entertainment, and gifts? Can you demonstrate an internal control structure that provides real-time visibility into red flags in the expense process? Or, are you counting solely on the detective skills of your Accounts Payable department? Let’s take a look by examining some fundamental legislation, statements, and ideas.

A. FCPA Guidance

The DOJ/SEC FCPA Guidance clearly specifies that the FCPA does not ban gifts and entertainment. Indeed, the FCPA Guidance specifies the following: “A small gift or token of esteem or gratitude is often an appropriate way for business people to display respect for each other. Some hallmarks of appropriate gift-giving are when the gift is given openly and transparently, properly recorded in the giver’s books and records, provided only to reflect esteem or gratitude, and permitted under local law. Items of nominal value, such as cab fare, reasonable meals and entertainment expenses, or company promotional items, are unlikely to improperly influence an official, and, as a result, are not, without more, items that have resulted in enforcement action by DOJ or SEC.”

B. Opinion Releases

Prior to the FCPA Guidance, in 2007, the DOJ issued two FCPA Opinion Releases which offered guidance to companies considering whether, and if so how, to incur travel and lodging expenses for government officials. Both Opinion Releases laid out the specific representations made to the DOJ, which led to the Department
approving the travel to the U.S. by the foreign governmental officials. These facts provided strong guidance to any company which seeks to bring governmental officials to the U.S. for a legitimate business purpose.

In Opinion Release 07-01, a company desired to cover the domestic expenses for a trip to the U.S. for a six-person delegation of an Asian government for an educational and promotional tour of a U.S. facility. In the Release, the representations made to the DOJ were as follows:

• A legal opinion from an established U.S. law firm, with offices in the foreign country, stating that the payment of expenses by the U.S. company for the travel of the foreign governmental representatives did not violate the laws of the country involved;
• The U.S. Company did not select the foreign governmental officials who would come to the U.S. for the training program;
• The delegates who came to the U.S. did not have direct authority over the decisions relating to the U.S. company’s products or services;
• The U.S. Company would not pay the expenses of anyone other than the selected officials;
• The officials would not receive any entertainment, other than room and board, from the U.S. Company; and,
• All expenses incurred by the U.S. company would be accurately reflected in said company’s books and records.

The response from the DOJ states: “Based upon all of the facts and circumstances, as represented by the requestor, the Department does not presently intend to take any enforcement action with respect to the proposal described in this request. This is because, based on the requestor's representations, consistent with the FCPA's promotional expenses affirmative defense, the expenses contemplated are reasonable under the circumstances and directly relate to "the promotion, demonstration, or explanation of [the requestor's] products or services."”

In Opinion Release 07-02, a company desired to pay the expenses for a trip within the U.S. for six junior-to-mid-level foreign officials for educational purposes at their U.S. headquarters. This educational trip was to be conducted prior to, but in tandem with, the foreign officials’ attendance at a six-week internship on foreign insurance, sponsored by the National Association of Insurance Commissioners (NAIC). In the Release, the following representations were made to the DOJ:

• The U.S. company would not pay the travel expenses or fees for participation in the NAIC program;
• The U.S. company had no “non-routine” business in front of the foreign governmental agency;
• The routine business it did have with the foreign governmental agency was guided by administrative rules with identified standards;
• The U.S. company would not select the delegates for the training program;
• The U.S. company would only host the delegates and not their families;
• The U.S. company would pay all costs incurred directly to the U.S. service providers and only a modest daily minimum to the foreign governmental officials based upon a properly presented receipt;
• Any souvenirs presented would be of modest value, with the U.S. company’s logo;
• There would be one four-hour sightseeing trip in the city where the U.S. company was located; and,
• The total expenses of the trip were reasonable for such a trip and the training which would be provided at the home offices of the U.S. company.

As with Opinion Release 07-01, the DOJ ended this Opinion Release by stating, “Based upon all of the facts and circumstances, as represented by the Requestor, the Department does not presently intend to take any enforcement action with respect to the planned educational program and proposed payments described in this request. This is because, based on the Requestor's representations, consistent with the FCPA's promotional expenses affirmative defense, the expenses contemplated are reasonable under the circumstances and directly relate to "the promotion, demonstration, or explanation of [the Requestor's] products or services." 15 U.S.C. § 78dd-2(c)(2)(A).”

C. Travel and Lodging for Governmental Officials

What can one glean from these 2007 Opinion Releases? Well, it would seem that a U.S. company can bring foreign officials into the U.S. for legitimate business purposes. The Releases also indicate that the following tenets of a Compliance Program should be present:

• Policies and procedures should be established for the company’s travel and lodging standards;
• Any reimbursement for airfare should be for economy class;
• The company cannot select the particular officials who will travel (that decision should be made solely by the foreign government);
• Only the designated officials may be hosted, not their spouses or family members (unless the latter are paid for by the foreign government or the families themselves);
• All costs must be paid for directly to the service providers – in the event that an expense requires reimbursement, you may do so, up to a modest daily minimum (e.g., $35), upon presentation of a written receipt;
• Any souvenirs you provide to the visiting officials should reflect the business and/or its logo and should be of nominal value (e.g., shirts or tote bags);
• Apart from the expenses identified above, the foreign government and/or officials must not be compensated for their visit. You may not fund, organize, or host any other entertainment, side trips, or leisure activities for the officials, or provide the officials with any stipend or spending money; and,
• The training costs and expenses will be only those necessary and reasonable to educate the visiting officials about the operation of your company.

Incorporation of these concepts into a Compliance Program is a good first step towards preventing any FCPA violations from arising; however, it must be emphasized that they are only a first step. These guidelines must be coupled with the active training of all personnel. This training must cover not only your compliance policy, but also the corporate and individual consequences that may arise if the FCPA is violated with respect to gifts and entertainment. Lastly, it is imperative that all such gifts and entertainment are properly recorded, as required by the books and records component of the FCPA.

The FCPA Guidance provides examples of improper travel and entertainment; some examples include:

• A $12,000 birthday trip for a government decision-maker from Mexico, including visits to wineries and dinners;
• A $10,000 budget spent on dinners, drinks, and entertainment for a government official;
• A trip to Italy for eight Iraqi government officials, consisting primarily of sightseeing and including $1,000 in “pocket money” for each official; and,
• A trip to Paris for a government official and his wife, consisting primarily of touring activities via a chauffeur-driven vehicle.

Gifts, travel, and entertainment continue to bedevil companies in FCPA compliance. However, in many ways, they are the most straightforward and process-driven components of any compliance regime. If you can put the appropriate standards in place and monitor them in real-time with visual dashboards (via your ERP system), your risk of non-compliance in this area will be substantially reduced.

Distribution Risk

As noted in Chapter 3, a common method of product movement includes the use of distributors. Distributors are common to commercial and consumer products. Distributors differ from other types of sales “representatives” as they take title to products and assume risk of loss. If there was ever a question that distributors were covered under the FCPA, the DOJ has made it clear that this class of entities could be treated the same as any other sales agent (e.g., representatives), reseller, or any other entity which sells a U.S. company’s products outside the United States. While the terms “agent,” “reseller,” and “distributor” have distinct definitions in the legal world, they no longer have such distinctness for FCPA purposes. The question is, “How do you fit distributors into your compliance program while still giving the business distinctions unique to their relationship with your company?”

Let’s start with a risk assessment. What do you know about the entity? How long have you done business with them? What is the nature of their financial backing, market, and customer base? Do they work with third parties? Are they representing you to pull sales through the channel and eventually to international sources? The goal should be to determine which distributors are the most likely to qualify as agents, for whom the company would likely be held responsible.

This represents a continuum of risk. On the low-risk end, you have domestic distributors that are essentially domestic resellers with little actual affiliation with the supplier company. On the high-risk end, you have domestic or international distributors who are very closely tied to the supplier company. These distributors effectively represent the company in the market and end up looking more like a subsidiary than a customer. They may or may not sell to both domestic and international buyers. Some of the risk factors to consider include:

• The volume of sales made to the distributor and the nature of markets served (e.g., domestic vs. international);
• Whether an agreement exists that explicitly prohibits the distributor from selling into markets to which the company would not otherwise sell (creating an opportunity to circumvent established company policy);
• The percentage of the distributor’s total business sales that the principal’s product represents;
• Whether the distributor represents the principal in the market, including whether it can (and does) use the company trademarks and logos in its business; and,
• Whether the principal company is involved in the running of the distributor’s business through activities like training the distributor’s sales
agents, imposing performance goals and objectives, or providing reimbursement for sales activity.

Once a company identifies its high-risk distributors, FCPA compliance procedures can be tailored and shared appropriately. For those distributors that qualify as “agents” and also pose FCPA risk, full FCPA due diligence, certifications, training, and contract language are imperative. For those that do not, more limited compliance measures that reflect the risk-adjusted liability are perfectly appropriate.

Management of the Distributor Relationship

Once you evaluate your distributor and ink a contract, your real work begins. You have to manage that relationship going forward. As with all things in business, price, cost, discounts/commissions, and margins need to be determined. A legal contract may or may not set these parameters. Regardless, organizations should consider the formal means by which they determine how pricing and discounts are offered to a distributor.

For this, business organizations might consider the use of a formal Discount Authorization Request (DAR) form. To do this, a DAR template should be prepared, which is designed to capture the particulars of a given request and allow for an informed, independent, and objective decision about whether it should be granted. Because the specifics of a particular DAR are critical to evaluating its legitimacy, it is expected that the employee submitting the DAR will provide details about how the request originated as well as an explanation justifying the elevated discount. In addition, the DAR template should be designed to identify gaps in compliance that may otherwise go undetected.

The next step is the creation of channels to evaluate DARs. The precise structure of that system will depend upon several factors. Ideally, the goal should be to allow for tiered levels of approval. Three levels of approval are sufficient, but these can be expanded or contracted as necessary. A general rule of thumb to observe is that the greater the potential discount, the more scrutiny the DAR should receive. The goal is to ensure that all DARs are vetted in an appropriately thorough fashion without negatively impacting the company’s ability to function efficiently.

The last step is collecting and organizing your evidence of decision-making. Remember to document, document, document. Once the information-gathering, review, and approval processes are formulated, there should be a system set in place to track, record, and evaluate information relating to DARs. This includes DARs both approved and denied. The documentation of the total number of DARs allows companies to more accurately determine where and why discounts are
increasing, whether the standard discount range should be raised or lowered, and provides companies the ability to gauge the level of commitment to FCPA compliance within business operations. This information, in turn, leaves companies better equipped to respond to government inquiries down the road.

This approach has merit because it follows what is set out in the 2013 DOJ/SEC FCPA Guidance, which we will quote from the introductory section of the “Ten Hallmarks of an Effective Compliance Program”: “Compliance programs that employ a ‘check-the-box’ approach may be inefficient and, more importantly, ineffective. Because each compliance program should be tailored to an organization’s specific needs, risks, and challenges, the information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.”

Email, Email, and Hopefully Less…..Email

From the standpoint of your company’s litigation exposure, not much can be more dangerous than its own email history. Why is that so? Well, email is not like contracts, you might say.

First, email is forever. You can’t shred email. Even deleting email really just rids a local computer of it; email is backed up and stored on multiple, redundant servers and is nearly always 100% recoverable for an investigation. One of the first things that the regulators will look at is email, as they’ll want to understand the discussions that were had, what was committed to and so forth. Whether we’re talking about FCPA or any other source of potential legal risk, email has become a very dangerous mechanism in the corporate world.

Second, emails are primarily formatted in a casual manner. It’s more like a phone conversation in content—quick snapshots of arrangements to be followed up by a contract or sales order. In many ways, it’s the assumed casual nature of email exchanges that can make them extremely dangerous in their relation to the FCPA.

As we discussed earlier, the FCPA concerns itself not only with the act of bribery, but also the intent to commit bribery. For example, if a member of your sales team were to write an email to a foreign official regarding a competitive request for a bid and say, “I’ll make it worth your while if you put us at the top of the heap,” this is incriminating. Even if the deal was never done, it’s still as bad as if there
had been an actual bribe. The intent to bribe is permanently documented in that email.

Now, think about the thousands, perhaps hundreds of thousands of emails that are sent every day to and from your company. Now imagine the casual language and slang that are undoubtedly used to some degree in their contents. Think about the marketing-oriented language of discounts, sales, and free goods. The words that we use in email are generally not “contract language,” and they can become very dangerous when taken out of context.

So what’s the takeaway here? There are several that relate directly to email:

• Invest the time to have solid controls around the proper and professional use of email in your organization;
• Educate your workforce about this proper use and reinforce it with ongoing training; and,
• Determine (on advice of counsel and other knowledgeable parties) what an appropriate retention program is and only keep emails archived for the shortest time allowable.

The bottom line is that email can be one of the most dangerous pitfalls you and/or your company face from a legal perspective. Pay close attention to how you use it and control its use in your organization.

Bartering

Bartering is a type of pitfall that isn’t necessarily akin to bribery, but could definitely bring your company down the proverbial “slippery slope.” Let’s say that you’re in an oil and gas business and you need something done in a market—a one-time event that might lead to an ongoing arrangement or contract. The third-party agent you’re working with wants to be paid in product, not cash. Good deal, right? He will get greater value in product than he would in cash, and you’ll save money!

Well, wait a minute. Red flags should be flying high right now. How do you substantiate such a transaction? There is no formal contract that spells out the terms of the deal or establishes the value of the products or services. The potential for trouble abounds in circumstances of bartering.

Free or Promotional Product

If you’ve ever been to an industry convention, you’ve probably seen plenty of free, promotional material given out. But wait, couldn’t this be seen as a bribe? Well, let’s take a few steps back first.

There are several types of free or promotional products that need to be considered. First are the promotional “trinkets” that are given out by sales forces everywhere—free hats, pens, coffee mugs…things of that nature. Most of the time, gifts given in this manner are too insubstantial to really exert much influence on an individual. But, as with most things, this depends on the nature, extent, and context of the “promotional” gift. Handing out hats with your company logo isn’t a big deal. But if you were to fully outfit an entire foreign police department with product from your consumer clothing business, well that’s a different story. Free and promotional products, when used properly, are a tried-and-true means of marketing your business and product. Unfortunately, it’s also a very slippery slope with blurred lines. We suggest you always err on the side of caution when disseminating free gifts, even when for entirely benign, legal purposes.

The next type of free product is the “evaluation sample.” This is when you disseminate trial versions of your product as a means of demonstrating its merit. For instance, let’s say you have submitted a competitive proposal on a bid with multiple companies competing. You decide that because you believe the experience of your product is superior, you want to send a sample of the product to the potential client. In order for it to not be considered an “intent to influence” violation, it must be clear that the product is a review sample and it must be returned to the company. You are then responsible for following up and making sure that the trialed product is returned.

The third type of free product is the “buy ten and get five free” type of promotion. In reality, it’s not much different than just lowering the unit price and that cash difference could, in some cases, be considered a bribe. Again, in situations like this, nature, extent, and context are everything. Companies run promotional campaigns like this all the time to boost sales and increase brand-awareness. Why? Well, because it works! However, if you’re offering a “buy one get twenty free” campaign exclusively to a particular, high-interest individual, don’t expect that excuse to fly.

Discounts and Sales Commissions

Sales commissions can be a very risky area, especially when you are dealing with contract or third-party agents in foreign markets. Let’s say you have a third-party sales agent operating for you in Russia. Your goal is to ultimately sell your product or service to the Russian government. Given the culture of Russia, your third-party requests a little something to “sweeten the deal.” If you wanted to commit bribery (and conceal it) to effectively lock in that particular sale, you might artificially inflate the sales commission to that third-party sales agent. In this manner, the marginal increase in sales commission would act as an effective bribe. This might also happen without your knowledge, as it very well may be the way business is
done in that particular culture. What might be acceptable as commission in one country might not be in another. The important thing is to set a commission structure, document it, and stick to it.

Discounts can be another very risky area that requires careful documentation and a consistent policy. For example, if you are selling directly to a government entity and give that entity an inordinate discount, it operates in the same manner as a bribe. It’s no different than giving that customer cash.

Split Transactions

Split transactions can be a real can of worms. The legality of split transactions is fundamentally quite complicated. Let’s look at an example. Let’s say you have a sales agent in Canada. He executes a sales contract for you and instructs you to send 50% of the commission to him and the other 50% to his brother in a different location. If you don’t know what role his brother played in the transaction (or if he played any role at all), then you’re going to have a harder time convincing a government investigator of the transaction’s legitimacy. From an investigator’s perspective, those commission dollars look suspiciously like a bribe.

Ultimately, you can legally use split transactions. However, you have to be able to substantiate and verify the reason behind it. When engaging in split transactions, understand that the burden of proof irrevocably rests upon your shoulders in the event of an investigation.

Tax Evasion

The same caution that applies to split transactions can apply to tax evasion. It’s possible that an overseas third-party sales agent would want to have all or part of their commission sent to another location in order to circumvent their own country’s tax laws. This isn’t necessarily bribery, but it will certainly raise the eyebrows of an investigator. It also serves as another example of the necessity of a constant awareness and supervision of those who are working for you overseas.

Third Parties Making Decisions for You

In an effort to wrap up the pitfalls section, we’re going to step back real quick and finish the section with some broader, more encompassing concepts. The most important takeaway from all of this is that, as a leader of your organization, you should be cautious when allowing third parties—whether they be your sales agents or government officials—to make decisions for you in a foreign market. For the most part, those sales agents and/or foreign officials will not be held accountable for whatever actions they take on your behalf; you and your company most certainly will. Two things that you must remember are:
• You need to make sure that all monies, discounts, or gifts that are given are relevant to the nature of the transaction, the environment, and the work that’s being performed for you; and,
• You must substantiate exactly where the money is going. You must document it with a contract. If, for example, a foreign government says it needs free product because it’s part of their quality testing procedures, that needs to be an explicit part of the contract.

Because of the globalization of business, organizations—and not just the big ones—are becoming increasingly distributed. This is due in part, no doubt, to an increase in outsourcing. Regardless, and as a function of this, businesses are becoming increasingly decentralized. It’s far easier for a CEO to set the rules for one group of ten buyers in one location than it is for him to set the rules for five groups of two buyers in five different locations. This is especially so when you consider his or her obligations to monitor their activities. Organizations that attempt to operate in multiple countries with multiple transaction and/or decision-making points are at heightened risk. Consequently, organizations like this are in greater need of the protection of a robust compliance and monitoring program.

Chapter 7 – Leveraging Internal Controls to Mitigate High Risk Areas

Internal control concepts aren’t always given the utmost degree of respect or priority, despite the fact that they are designed primarily to protect corporate officers, shareholders, and general stakeholders. We’ve actually heard clients say, “Our counsel provided FCPA training, so I think we’re okay. Accounting takes care of our internal controls.” Statements like this are red flags, as they demonstrate an unsophisticated attitude towards compliance. This general lack of expertise can manifest itself in intensely dangerous ways.

We assume that you are now familiar with the core tenets of FSG § 8b2.1 and recognize that training is but one small element in a program. In addition, remember that even training and internal controls together don’t constitute a full-fledged compliance program.

Think about it in the context of the following driving example. Let’s say you’re new to driving. You’ve never driven by yourself before, but you’ve been provided automobile operator training. You now think you know what you’re doing, but you’re still a little unsure. Well, regardless of what you do, there are still a number of technological and mechanical features that serve as controls to limit error. For instance, let’s say you’re on the highway and you accidentally bump into the gearshift. Game over, right? Well, no. The car company was provident enough to design the system against accidents like that. In order to shift the car from Drive, the car has to be still and the driver’s foot must be on the brake.

This is an example of an internal control. The car company trusts its drivers, but only so far. In order to maximize the safety of their vehicle, and minimize the risk of driving it, the company designed a myriad of failsafe mechanisms to prevent a single incident from causing disaster. Internal controls work the exact same way for your company. A well designed and optimized set of controls not only increases transaction activity but makes it safer.

Training your personnel on FCPA, U.K. Bribery Act, and/or broader anti-corruption/anti-bribery responsibilities is a fantastic start. But it’s only a start. How does your Accounts Payable Department know that a sales commission to be paid to an international agent actually matches the original contract signed by your executive team? Because your sales team said, “OK to pay?”

Without proper internal controls, your business could suffer from a lack of guidance and direction. While you can train your employees to operate efficiently and ethically, you still have to set controls in place to ensure that these ideals of
ethics, efficiency, accuracy, and compliance are continually put into practice. Internal controls will allow you to place trust in not only your employees, but also in a number of failsafe systems set in place within your operations. This way, if a single “system” fails, another will take its place.

Let’s review some quick points about effective internal controls. Effective internal controls:

• Are essential to the long-term success of not only a compliance program, but your business as a whole;
• Relieve some of the stress associated with the ongoing management of both employees and third parties;
• Provide greater confidence that financial and managerial reports required by DOJ and SEC are accurate;
• Provide reasonable boundaries in which employees and third parties can operate; and,
• Add to the overall health and success of a company.

Truth be told, internal controls are occasionally viewed as a set of burdensome rules and procedures (or added bureaucracy), which are designed to constrain how a person conducts business. This couldn’t be further from the truth. In reality, internal controls are essential building blocks of your Enterprise Risk Management structure. Internal controls promote a culture of honesty, so that individuals do not cheat or steal from the company. Internal controls help drive data integrity so that reporting tells an accurate story about the transactions being executed. They will also not only increase your ability to monitor the processes of your business, but, in doing so, increase your employees’ and hired third parties’ understanding that they are responsible for their actions.

Every FCPA enforcement action on record (that we could find) indicated some lack of internal controls, the extent of which directly impacted fines, penalties, settlements, and time served. Had proper internal controls been set in place, the severity of these consequences would likely have been lessened, and in many cases could have been avoided altogether.

While most compliance practitioners will certainly be familiar with internal controls as mechanisms of detection, the best internal controls help to prevent compliance violations before they happen. Internal controls are a “structure of checks and balances” that can:

1. Compensate for human ethical weakness; and,

2. Provide necessary support to individuals of integrity who are facing unethical behavior.

More specifically, internal controls provide assistance to compliance regimes. In other words, they are designed to not only prevent cheating but promote doing business ethically. They’ll also aid you in the swift detection of any compliance violations that are occurring behind closed doors.

Internal controls work by helping to set the expectations of ethical behavior that are required of a company’s employees. They do so in a couple of ways. First, they narrow the scope for unethical behavior. They do this in tandem with an increase in the risk of discovery and punishment. Having internal controls in place also acts to train employees in proper practice and procedures. Under the constant guidance of management-implemented control systems, employees will begin to act compliantly by reflex. Internal controls can also help protect employees who report unethical behavior. This final point is not to be discounted when considering the Dodd-Frank and Sarbanes-Oxley whistleblower protections and the Dodd-Frank whistleblower bounty.

Lastly, internal controls aren’t necessarily about rules and regulations as much as they’re about a company’s operating culture. A commitment to internal controls is a commitment to doing business the right way. You’ll find that by establishing and celebrating a culture of ethical business, these values will become instinctual and self-fulfilling. By making compliance an eminent foundation of your business, employees will adopt compliant attitudes in the workplace; these attitudes will further feed the culture of your business. Internal controls are a vital aspect of this process.

The most effective controls are those embedded “in the line” of a transaction. This means that they are being used directly by line management and not simply the company’s finance or accounting group. In this manner, such internal controls have become the responsibility of management and not simply a corporate function, like Internal Audit. Furthermore, when management is allowed to believe that Internal Audit “owns” its internal controls (which they do not), an “us against them” mentality can develop. Internal controls are management’s tools, not Internal Audit’s. It is management’s responsibility to design, implement, and execute internal controls with Internal Audit’s guidance as needed. Audit’s primary responsibility is to assess the design and effectiveness of those controls in the company’s pursuit to follow the original four areas as provided in the Framework of the Committee of Sponsoring Organizations (COSO) of the

Treadway Commission. That is, internal controls should be designed to assist the organization’s ability to:

• Execute strategic plans;
• Operate efficiently and effectively;
• Produce accurate financial and managerial reports; and,
• Maintain compliance with policies, procedures, and applicable laws.

What executive wouldn’t be in favor of something that helps achieve his or her personal, financial, and professional process goals? As with a “safety first” doctrine, successful management teams have determined that the activities elevated with internal controls are critical to efficient and effective operations. With everyone working under predetermined and prescribed principles of guidance, a sense of unity and camaraderie will quickly develop between strategy teams, departments, and co-workers. Simultaneously, a company implementing effective internal controls will tremendously mitigate its risk and liability.

Some of the positive contributions that internal controls provide include:

• Limitation of asset loss from employee or third party theft;
• Limitation of single point failures in management behavior by requiring segregated duties and cross-functional review;
• Preservation of accurate information allowing management to better run its business; and,
• Limitation of claims, judgments, lawsuits, and monetary damages.

Think, just for a minute, that the cost of an FCPA violation could be millions of dollars. The financial stakes of potential lawsuits or theft could be even higher. How much less would you have spent on effective internal control assessment and design to begin with?

Simply put, internal controls are the governors that increase your likelihood of a successful outcome, not much different than the feature in your car that prevents a sudden, unwanted change from Drive to Reverse. They’re your safety net, the automatic antivirus software that continuously monitors your PC. With robust and efficient internal controls set in place, the efficient operation and financial buoyancy of your operations no longer exclusively hinge upon the vigilance of your employees.

Okay, okay. So internal controls are good—you get it. Now you want to know a little bit about how to implement them, right? Well, consider the following internal controls as tools to reduce higher risk areas of your anti-corruption/anti-bribery program.

Third Parties

• Always conduct due diligence of third parties prior to engaging in a relationship. Due diligence should be independently spot-checked as part of a recurring audit program.
• Make sure to verify all third-party business entities, including their physical domicile and in-country business bank account(s).
• Ensure that written obligations exist describing a requirement to comply with the Company Code of Conduct and anti-bribery/anti-corruption laws. In addition, make sure to execute any necessary training of employees.

Gifts/Hospitality, Travel and Lodging

• Conduct pre-approval of the amounts offered to third parties to ensure they aren’t offered questionable gifts in the midst of competitive procurement.
• Make sure that invoices/receipts are itemized and approved prior to reimbursement.
• Establish written obligations for compliance with local law and define that no items be offered to influence decisions.

International Disbursements/Commissions

• Establish a process of pre-approval and matching for disbursements related to commissions or marketing expenditures prior to disbursement. Matching should consist of ties to an original contract, verifiable receipts, and internal approvals to issue funds.
• Strictly prohibit payments in cash or to private accounts.

Pricing, Discounts, and Commissions

• Establish worldwide pricing and commission thresholds. Deviations from such standards or the offering of free product should be approved by a cross-functional group. Any modifications must be re-routed for signature.

Order Fulfillment

• Establish system-related internal controls that prevent the fulfillment of an international order prior to clearance under the due diligence process.

These are all examples of strong internal controls. By fundamentally aiding their ability to manage and lead, internal controls not only directly aid the company, but its employees as well. Internal controls aren’t just about protecting Corporate’s

best interests. Internal controls are helpful for all members of an organization. Sure, they help manage a company’s risk, but when you consider the fact that internal controls also aid middle and lower-tier employees by guiding them in their day-to-day efforts, a sounder picture begins to develop. Simply put, there is no exclusivity on the benefits reaped by well-maintained internal controls; internal controls help everyone do their job better. That’s why they’re so important.

Chapter 8: When the Government Comes Knocking

Knock. Knock. You get a call one day and a representative of the Federal Government tells you that you and/or your company is being investigated for alleged bribery under the Foreign Corrupt Practices Act. Don’t panic! Here’s what happens and some guiding thoughts.

Determine Who Is Investigating You

The DOJ is the government agency that has ultimate jurisdiction in FCPA cases. However, there are typically several other agencies involved. Sometimes, investigations are handled exclusively by the DOJ. However, extensive cases, or those that involve undercover work, may require the oversight of the Federal Bureau of Investigation (FBI). In addition, it is likely that the SEC would follow up to investigate any books and records violations. In other countries, an investigation could be subject to the local government and its laws. For example, an investigation under the U.K. Bribery Act might be led by the UK Serious Fraud Office (SFO). Regardless, your first step is to establish exactly who is investigating you.

Hire Counsel

Hiring an attorney is a critical step in the investigative process. This is to ensure you are properly represented and that matters related to the investigation remain privileged and confidential. Ideally, you should hire a firm that is experienced in e-Discovery and anti-bribery/anti-corruption investigations. You also want said firm to have considerable experience in both forensic evaluation and matters pertaining to the SEC. So, while your first reaction might be to call your existing corporate counsel, such a reaction might be a mistake. You need a firm that has the depth and breadth to cover the wide range of aforementioned areas.

Independent counsel can be hired by the executive team, your General Counsel, or the Board of Directors. This decision is highly dependent on who is being investigated and what the investigation is about. In most public company investigations, it is advisable for a party furthest from the management action to retain counsel (e.g., the CEO and/or the Board).

It is likely that the DOJ may not have the extent of resources needed to conduct a thorough and extensive investigation on their own. To guide the process along, you should consider your use of independent counsel and the earnestness of your cooperation. Full cooperation with the DOJ and the retention of independent counsel that can perform an investigation on the DOJ’s behalf is often met with

positive response. However, just because counsel was retained by the organization, that does not permit the concealment of potentially pertinent information. Transparency and full disclosure, where applicable, is a given and should be handled appropriately by your counsel.

Isolate Your Possible Issue

If you suspect (even without full evidence) that a violation exists, it is important to isolate the cause of the potential violation. Any action the company takes in response should be carefully considered in the context of the investigation. However, if one of your employees was charged, you may choose to put that individual on administrative leave. If a severe situation develops, it is advised to stop all deals with selected third parties and/or sales to a particular government. If you choose to continue your business endeavors during the investigation, methods should be established to ensure transactions are compliant then and in the future. Obviously, any transactions made will be under heightened scrutiny during a Federal investigation.

During the course of the investigation, and for a period thereafter, it may be a good idea to elevate your internal controls beyond normal, practical operating standards. Think of your business like a sports team. Typically, during practice, you want to ensure you’re playing by the rules. But when it’s game-time, the rules carry an additional importance. When the officials are watching and the cameras are rolling, you’re going to want to make sure that the rules are a top priority.

Obtain an Independent Assessment of your Program

Alright, so you know who’s investigating you, you’ve hired counsel, and you’ve identified the potential sources of the violation. Now, it’s time to assess where you stand. Your counsel will likely hire a creditable audit firm that can be used to independently evaluate your organization’s transactions and internal controls. These reports should be provided directly to counsel and be maintained under privilege. More importantly, this will likely become the foundation of your future remediation project plan.

An independent evaluation could be quite exhaustive and consist of aggregating multiple years of transaction activity. To whom did the company make sales pitches? To whom did it sell product? Who contacted the company? What were the details of all deals made? Which third parties were active in each engagement? What discounts were given? Who authorized them? Yes, it’s a long list. But the information gained from each and every one of these questions is indispensable. You need to catalog everything: the flow of funds, as well as all paper and electronic communication. This is the backdrop and environment from which you

want the investigation to proceed.

The investigation can go in multiple directions, but the two most likely courses that the DOJ will take are to: (1) follow the money; (2) follow the communications. Because, at their base, the FCPA and U.K. Bribery Act are about bribery, following the money is critical. Your investigation could look at deals consummated, deals not consummated, and all of the details therein. They might not just look at the flow of the money, but how approvals were documented and how the transactions were recorded. This could start with the request for bid, the initial quote given, the pricing offered versus what was paid, what was offered in addition to pricing, and whether or not a formal contract was established.

They may also look at all the communications related to establishing the deal. This may come down to individual emails. Were there any planned or unexpected trips back and forth during the course of the deal? Were any gifts given? Travel and entertainment reports could be examined to see if money or gifts were used for inappropriate purposes. After a deal was consummated, was the company paid in a timely fashion? Where did the funds originate? When were the commissions paid? What type of documentation suggests the payment of commissions? Were the commissions sent to the business address or a home address? Were they split? Remember, these are all questions that have to be answered for a single deal. You can see how arduous and time-consuming a process this becomes from the perspective of the company under investigation.

Part of the investigation may include an examination of archived email history. This could include a number of searches for terms related to the particular deal. For instance, popular searches might be for the country name, the salesperson’s name, the name of the product, and keywords like “discount” or “bribe.” As evidence is slowly pieced together, a cohesive picture could slowly develop.

Expectations for Length and Outcome of the Investigation

DOJ investigations are laborious. Often, the official investigation will continue for several years after all of the actual investigative activity has been concluded and all results have been shared. Even though they have nothing more to ask, the DOJ has limited resources and will take its time as needed. They are going to tend to gravitate toward the largest or most probable cases, so their resources could shift around. Expect an investigation to be protracted and painful. In all likelihood, the requests from investigators won’t cease until the investigation’s end.

A number of potential outcomes could come from the investigation. One is that nothing happens (cross your fingers for this one). The others span the gamut of

potential legal ramifications. In some cases, fines will be charged to the employees and officers responsible—these are fines for which the organization may not pay. Fines may also be levied against the organization itself. In some situations, implicated parties may be imprisoned. In the most severe of circumstances, the government may appoint a “monitor” who is assigned to oversee all activities at your company for a specific time, usually between two and four years.

Chapter 9: What Does It All Mean?

Paul McNulty—former Deputy Attorney General—often cites three questions he would ask a company under investigation by the DOJ:

1. What did you do to prevent it?
2. What did you do to detect it?
3. What did you do after you found out about it?

The FCPA Guidance phrases these three points of emphasis slightly differently, encouraging the tripartite of prevention, detection, and remediation in the framework of your anti-corruption compliance program. The cost associated with a failure to receive a “passing grade” on any of these questions can be astronomical. This past year, two more companies entered the Top Ten list of all-time FCPA settlements: Total S.A., ranking in with $398 million in fines, and Weatherford International with $152.2 million. That’s a lot of money.

The sheer size of these fines mirrors a growing, global and popular sentiment against bribery and corruption. In other words, while the considerable size of these fines demonstrates extensive FCPA violations, it also demonstrates direct and extensive efforts to fight bribery and corruption on a Federal level. The size of these fines not only sends a message to the corporations on whom they are levied, but also to all other would-be violators: the United States does not take bribery and corruption lightly.

What’s more, this general trend extends far beyond the boundaries of the United States. For example, consider our past references to the Chinese enforcement action against the British company GlaxoSmithKline in 2013. Here, Chinese authorities introduced and enforced their own country’s domestic anti-corruption laws, not a foreign-focused law such as the FCPA. This demonstrates a genuine and uncontrived eagerness to battle corruption in the global market. No longer does the United States stand out as one of few nations who staunchly stand against bribery and corruption. Anti-corruption is now a global initiative.

The individual perspective of anti-corruption and due process is of equal importance. After all, a good deal of bribery and corruption occurs on an individual, not corporate, level. However, even the most honest individuals may become involved in something not-so-honest, either out of ignorance or just plain bad luck, and the policies in many countries do not favor innocent bystanders. For many western ex-pats who are considering working internationally, this may cause them to rethink whether or not they are willing to be stationed in the country for fear of being caught up in another country’s judicial system, which is a system not known for protecting individual due process rights. This factor cannot be

overstated – because being imprisoned in a place like China is near the top of just about anyone’s list of things you never want to experience.

Remember at the beginning of this book when we asked you to take out a piece of paper and a pen and document your answers to selected questions? Now, let’s do that again. This time, we’re going to provide the answers that we’ve presented you throughout this book. Before you look to see what we’ve written, try it out on your own. By comparing the answers you’ve written from memory with those we’ve provided below, you’ll be able to identify any areas that you might want to revisit.

How does your organization limit the risk of non-compliance? Can you list the controls?

We limit the risk of non-compliance with a multi-faceted program that includes a balanced set of internal controls. These include:

• A program that meets or exceeds the expectations set forth in the Federal Sentencing Guidelines’ “Effective Compliance and Ethics program”;
• Detailed company policies and substantial in-person and on-line training delivered through a corporate university;
• In-depth vetting of third parties and high risk transactions;
• Independent, cross-functional review of high risk disbursements; and,
• A Business and Ethics Council and an appointed leader of compliance.

Do you know what the prevailing standard and U.S. Government’s expectations are for a compliance program?

Yes, those standards include, paraphrased:

• Leadership and Tone from The Top
• A Commitment to Compliance – Beyond the Tone
• Measurement: Set at Zero Tolerance; There is No Materiality Standard for Corruption and Bribery
• Standards and Procedures
• Education and Training
• Efforts to Exclude Prohibited Personnel – Due Diligence
• Validation and Oversight

Can you point to (or touch) your compliance program? What about your Ethics Program?

Yes. It is documented in our anti-corruption/anti-bribery program. This can be found on our corporate intranet and it is delivered via in-person training to our staff

on an annual basis. Our Ethics Program is maintained by our Ethics Counsel and led by our CEO. She has a copy of the Code of Conduct and supporting activities of the organization.

How do you mitigate the risk of bribery?

We mitigate the risk of bribery through a series of policies, preventive and detective internal controls, and an employee training program. These are monitored independently on a periodic basis by our Internal Audit department. Some of these policies include:

• We introduce and enforce a prohibited activities policy which prohibits bribery, facilitation payments, or free goods to foreign officials;
• We require a cross-functional review of discounts and commissions outside of established, written standards;
• We require a multi-point matching process in Accounts Payable that compares contracts to executive approvals to requests for payment;
• We strictly coach and audit business operations involving travel, gifts, entertainment, and gratuities; and,
• We do not allow single point approvals anywhere in the control environment.

When was your last independent anti-corruption/anti-bribery program audit?

• We’ve scheduled one for next quarter.



“Put simply, the prospect of significant prison sentences for individuals should make clear to every corporate executive, every board member, and every employee that we seek to hold you personally accountable for FCPA violations.”

Lanny Breuer, Assistant Attorney General, Criminal Division, U.S. Department of Justice, February 2010

If you “believe” your organization is compliant because: (1) you provided training; (2) you have an “honest” culture; or (3) because a Federal investigator hasn’t told you otherwise, you may be putting the corporate enterprise at increased risk. There is a big difference between being “compliant” and having a “Compliance Program.”

Thomas Fox and Jon Rydberg provide practical lessons pertaining to the FCPA, U.K. Bribery Act and broader Anti-Corruption/Anti-Bribery standards for Board Members, Chief Executive Officers, General Counsel and other corporate executives who seek to lower their enterprise risk profile by learning simple strategies from tested compliance veterans.

Published by Tom Fox Law